various modifications to pull request #10:

- re-fill paragraphs in README
- added section about booting ipfw rules
- added way to execute ipfw function from command line (required
  for booting)
- enhanced ipfw.conf parser
- enhanced ip address parsing
- added v6 support
- added jail.conf variable support
Thomas von Dein
2020-12-01 18:40:32 +01:00
parent cc30589b1f
commit 615939bccd
2 changed files with 79 additions and 16 deletions


@@ -373,17 +373,51 @@ The last step is to remove the current running jail, change the version in `etc/
If there's anything wrong you can always go back to the previous version using the above steps. If there's anything wrong you can always go back to the previous version using the above steps.
## Advanced Features ## Advanced Features
Jaildk also offers some advanced features like automatically setting up and deleting ipfw rules or freezing and thawing a jail (to make it easily portable).
### Using the IPFW
To use the IPFW on your host you first have to enable ipfw in your hosts rc.conf `firewall_enable="YES"`.
You probably want to set the default firewalling-type there aswell, check out the [FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html) for further information.
Once enabled you also need to start ipfw by executing the rc script: `/etc/rc.d/ipfw start`.
Be aware that inter-jail communication is transfered via the loopback interface (normally lo0) for which there is a high priority allow any to any rule by default: `allow ip from any to any via lo`
In order to control the inter-jail communication you have to delete this rule first.
If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf) the rules inside that config file are added when starting, and deleted when stopping the jail. Jaildk also offers some advanced features like automatically setting
E.g. allowing HTTP/HTTPS traffic for that jail (webserver): `allow tcp from any to $ip setup keep-state` up and deleting ipfw rules or freezing and thawing a jail (to make it
As demonstrated in the previous rule `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`). easily portable).
### Using the IPFW
To use the IPFW on your host you first have to enable ipfw in your
hosts rc.conf `firewall_enable="YES"`. You probably want to set the
default firewalling-type there aswell, check out the
[FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html)
for further information.
Once enabled you also need to start ipfw by executing the rc script:
`/etc/rc.d/ipfw start`.
Be aware that inter-jail communication is transfered via the loopback
interface (normally lo0) for which there is a high priority allow any
to any rule by default:
`allow ip from any to any via lo`
In order to control the inter-jail communication you have to delete
this rule first.
If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf)
the rules inside that config file are added when starting, and deleted
when stopping the jail. E.g. allowing HTTP/HTTPS traffic for that
jail (webserver):
`allow tcp from any to $ip setup keep-state`
As demonstrated in the previous rule `$ip` is reserved and
automatically replaced with the jails own ip (as reported by
`jls`). The same applies to the ipv6 address which will be available
as variable `$ip6`. Also, all variables in the jails `jail.conf` can
be used.
In order to make these ipfw rules available on boot, you need to add
the following line to `/etc/jail.conf` in the section of the jail
which uses custom ipfw rules:
`exec.prestart = "/jail/bin/jaildk ipfw $name"`
## Getting help ## Getting help
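Review bot: the boot hook recommended here, `exec.prestart = "/jail/bin/jaildk ipfw $name"`, does not fit how jaildk_ipfw_add resolves the address: that function runs `jls -n -j $jail ip4.addr`, and jail(8) executes exec.prestart before the jail is created, so at boot jls finds no such jail and the function dies with "Jail ... doesn't have an ipv4 address!". Either document `exec.poststart` instead (the jail exists by then and jls works, at the cost of a short window without rules) or resolve `$ip`/`$ip6` from the jail.conf variables that load-jail-config already imports, so rules can be installed before the jail comes up. Minor: "aswell" should be "as well".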

jaildk

@@ -29,6 +29,7 @@ stop <jail> - stop a jail
restart <jail> - restart a jail restart <jail> - restart a jail
status [<jail>] - display a jail's status status [<jail>] - display a jail's status
rc <jail> <mode> [-r <rc.d script>] - execute an rc-script inside a jail rc <jail> <mode> [-r <rc.d script>] - execute an rc-script inside a jail
ipfw <jail> <mode> - add or remove ipfw rules
${beg}Managing Jails:${end} ${beg}Managing Jails:${end}
login <jail> [<user>] - login into a jail login <jail> [<user>] - login into a jail
@@ -380,6 +381,8 @@ jaildk_rc_mount() {
done done
} }
usage_install() { usage_install() {
fin "Usage: $0 install <jail> [<mode>] [-r rc-function] fin "Usage: $0 install <jail> [<mode>] [-r rc-function]
Install <jail> according to its config. Options: Install <jail> according to its config. Options:
@@ -1169,7 +1172,6 @@ home/$name/root-$version $name/root nullfs rw' >
touch $j/etc/.template/ipfw.conf touch $j/etc/.template/ipfw.conf
bold "creating template config $j/etc/.template/mtree.conf" bold "creating template config $j/etc/.template/mtree.conf"
# touch $j/etc/.template/mtree.conf
echo '/set type=dir uid=0 gid=0 mode=01777 echo '/set type=dir uid=0 gid=0 mode=01777
. type=dir mode=0755 . type=dir mode=0755
tmp tmp
@@ -1466,10 +1468,24 @@ jaildk_thaw() {
bold "Done. Thawed jail $jail $version from $image." bold "Done. Thawed jail $jail $version from $image."
} }
usage_ipfw() {
echo "Usage: $0 ipfw <jail> <mode>
[Un]install ipfw rules. <mode> can be start or stop.
The jail needs to have a ipfw.conf file, containing
ipfw rules. You can use variables like \$ip and \$ip6
and you need to omit the 'ipfw add' of the command."
exit 1
}
jaildk_ipfw() { jaildk_ipfw() {
jail=$1 jail=$1
mode=$2 mode=$2
if [ -f "$j/etc/$jail/ipfw.conf" ]; then
if test -z "$mode"; then
usage_ipfw
fi
if test -f "$j/etc/$jail/ipfw.conf"; then
echo echo
bold "Managing IPFW Rules..." bold "Managing IPFW Rules..."
case $mode in case $mode in
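Review bot: usage_ipfw (`echo "Usage: $0 ipfw <jail> <mode>` ... `exit 1`) diverges from the other usage_* helpers, which call `fin` (compare usage_install: `fin "Usage: $0 install <jail> [<mode>] [-r rc-function]`); use `fin` here too so the output and exit path stay consistent. The guard `if test -z "$mode"` only catches a missing argument; an unsupported value such as `restart` falls through to `case $mode in`, so either validate `start|stop` before the case statement or make sure it has a `*)` branch that calls usage_ipfw. Also `$jail` is never checked for emptiness before it is used in the path `$j/etc/$jail/ipfw.conf`, and the usage text should read "an ipfw.conf file".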
@@ -1488,11 +1504,24 @@ jaildk_ipfw() {
jaildk_ipfw_add() { jaildk_ipfw_add() {
jail=$1 jail=$1
# Getting current jails IP..
jailip=$(jls | grep -E "$jail\$" | awk '{print $2}')
# Adding rules
cat $j/etc/$jail/ipfw.conf | awk -v jailname="$jail" '{print "ipfw add "$0" // " jailname}' | sed -E "s/\\\$ip/$jailip/g" | while read rule; do $rule; done
# support jail variables as well
load-jail-config $jail
# Getting current jails IP..
ip=`jls -n -j $jail ip4.addr | cut -d= -f2`
if test -z "$ip"; then
die "Jail $jail doesn't have an ipv4 address!"
fi
ip6=`jls -n -j $jail ip6.addr | cut -d= -f2` # optional, no checks
# Adding rules
egrep "^[a-z]" $j/etc/$jail/ipfw.conf | while read LINE; do
rule=$(eval echo "ipfw add $LINE // $jail")
echo $rule
$rule
done
} }
jaildk_ipfw_delete() { jaildk_ipfw_delete() {
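Review bot: `rule=$(eval echo "ipfw add $LINE // $jail")` hands every line of ipfw.conf to the shell, so besides `$ip`, `$ip6` and the jail.conf variables it also performs command substitution and globbing on whatever the file contains, and the result is then executed as root through the unquoted `$rule` expansion; if the intent is only variable substitution, substitute the known variables explicitly (sed or parameter expansion) instead of eval, so the config file stays data rather than code. The filter `egrep "^[a-z]"` also drops valid rules that start with a rule number (`100 allow ...`) or leading whitespace, and `egrep` is deprecated in favour of `grep -E`. Two smaller points: the exit status of `$rule` is ignored, so a rule that ipfw rejects neither aborts nor reports, and `jls -n -j $jail ip4.addr` returns a comma-separated list when the jail has several IPv4 addresses, which produces a broken rule; either handle the list or document the single-address assumption.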
@@ -1529,7 +1558,7 @@ case $runner in
start|stop|status|restart) start|stop|status|restart)
jaildk_jail $runner $* jaildk_jail $runner $*
;; ;;
setup|reinstall|install|uninstall|build|blogin|login|clone|create|remove|rc|base|fetch|freeze|thaw) setup|reinstall|install|uninstall|build|blogin|login|clone|create|remove|rc|base|fetch|freeze|thaw|ipfw)
jaildk_$runner $* jaildk_$runner $*
;; ;;
help) help)